Flash exploit targeting Internet Explorer versions 8 through 11

FireEye Research Labs identified a new Internet Explorer (IE) zero-day exploit used in targeted attacks. The vulnerability affects IE6 through IE11, but the attack is targeting IE9 through IE11. This zero-day bypasses both ASLR and DEP. Microsoft has assigned CVE-2014-1776 to the vulnerability and released security advisory to track this issue.

Using EMET may break the exploit in your environment and prevent it from successfully controlling your computer. EMET versions 4.1 and 5.0 break (and/or detect) the exploit in our tests.
Enhanced Protected Mode in IE breaks the exploit in our tests. EPM was introduced in IE10.
Additionally, the attack will not work without Adobe Flash. Disabling the Flash plugin within IE will prevent the exploit from functioning.

So many videos, especially uTube, depend on the Flash Player. Constantly enabling & disabling the Flash Plugin, is a pain! Disabling the flash player plugin isn't a good solution.

A better solution IMHO is stop using IE, it's a dog !
There are much better browser options or choices. IE: Chrome, Comodo Dragon or Firefox to name a few. Just a thought!
They also use a Flash Plugin, their own version, so not sure if they also suffer from the exploit.
Does anyone know ?

No; this current flaw is in IE, not Flash (although Flash is used by the current IE attacks).

The Microsoft Security Advisory linked above doesn't mention Flash at all, because there could be other means of exploiting the IE flaw (in vgx.dll).

I think only IE and Chrome have their own Flash updates.

Bruce

Sorry Bruce..my bad. When I said IE: (meaning, for instance) Chrome etc, maybe I should have said.. EG: Chrome etc.

Internet Explorer is not my 1st choice, if ever. I only use it, when M$ updates force me to use it.
Microsoft seems to think everyone who uses IE are tech types & know what all the IE options mean. Most of those I look after, don't have a clue what all the settings in IE mean or do ! Some of M$ explanations leave me puzzled & scratching my head & I've been working with the technology for 45 years..!

If you implement this M$ work around, to the letter, and don't remember to back them out when a fix is released.... future updates will probably fail!. Great !! More hand holding for many users.

Still, I guess, something, is better than nothing, especially for XP, which is stuck with IEV8 & it is only going to get worse! The die-hard users will hang on, experiencing more & more problems from virus or malware attacks as time passes! If they suffer enough, & they will, maybe they'll get the message ?

As you can enable Enhanced Protected Mode (>=IE 10), this seems to be an easy workaround, although as you will be running IE in 64 bit mode then you would also need to install the 64 bit version of Java should you use any sites that require it.

Sorry Bruce..my bad. When I said IE: (meaning, for instance) Chrome etc, maybe I should have said.. EG: Chrome etc.

Internet Explorer is not my 1st choice, if ever. I only use it, when M$ updates force me to use it.
Microsoft seems to think everyone who uses IE are tech types & know what all the IE options mean. Most of those I look after, don't have a clue what all the settings in IE mean or do ! Some of M$ explanations leave me puzzled & scratching my head & I've been working with the technology for 45 years..!

If you implement this M$ work around, to the letter, and don't remember to back them out when a fix is released.... future updates will probably fail!. Great !! More hand holding for many users.

Still, I guess, something, is better than nothing, especially for XP, which is stuck with IEV8 & it is only going to get worse! The die-hard users will hang on, experiencing more & more problems from virus or malware attacks as time passes! If they suffer enough, & they will, maybe they'll get the message ?

You don't need to use IE to run Windows update. You can switch a Firefox tab to an IE tab and run Windows Update in that tab, it is so good it even fools Microsoft. :^)

An e-blast from Steve Gibson's research center

I got my first ever e-mail from Gibson Research (Steve Gibson) about this. I shall quote:

Web browsers are growing insanely complex. It's pretty clear that they will be our next-generation operating platforms. And as the last annual "Pwn2Own" contest showed, none of them can currently withstand the focused attention of skilled and determined attackers, especially when some prize money is dangled on the other side of the finish line.

With most recent exploits, the path to exploitation is convoluted and complex. In this case it depends upon somehow encountering malicious Web content with IE's ActiveScripting enabled, which loads an Adobe SWF (Shockwave FLASH) file which, in turn, uses JavaScript in this vulnerable version of IE (presently all versions of IE). But it does this via an obscure and readily disabled VML (Vector Markup Language) rendering extension.

Thus, to immediately protect any use of Internet Explorer – yes, even on creaky old WinXP (the XPocalypse has been delayed) – simply execute the following incantation using either a Windows Command Prompt or the "Run..." dialog under the Start button (if you're lucky
enough to still have one on your Windows desktop):

regsvr32 -u "%CommonProgramFiles%\Microsoft Shared\VGX\vgx.dll"

This unregisters (-u) the VML renderer, thus rendering it inaccessible to the exploit attempt. Your IE browser will no longer be able to render vector markup language content... but it probably never did before, anyway.
/Steve.